Friday, March 28, 2014

Ransomware Challenges Posed by Cyber Criminals

Ransomware dates back to 1989 with the AIDS Trojan, which modified the autoexec.bat file; once the computer had booted 90 times, the malware would begin to hide directories and encrypt the names of all files. It would then prompt the user to renew their license and contact PC Cyborg Corporation for a $189.00 payment, which had to be sent to a P.O. Box in Panama (Smith, 2002). Today the number of unique new ransomware samples is almost 250,000 for the first three months of 2013 alone, double the figure for the first quarter of 2012. Even more troubling is the reported number of infections. Visibility into infection data is limited because client machines share detection data only with McAfee. There are two main reasons for the increased popularity of ransomware: (1) cybercriminals have easy access to anonymous payment systems, such as Bitcoin; (2) there is a thriving underground market offering pay-per-install services on pre-infected computers, such as Citadel. Cybercriminals can also easily purchase ransomware kits, such as Lyposit, from the underground markets (McAfee Labs, 2013a, p. 12).
There are two main categories of ransomware today: non-encrypting and encrypting. The Reveton Trojan is one of the better-known non-encrypting ransomware viruses. The FBI sent an alert on August 9, 2012 discussing this new drive-by ransomware virus (The FBI, 2012). Reveton works by infecting and subsequently hijacking host machines. Once a machine is hijacked, it displays to the user a threatening message that appears to come from law enforcement, such as the FBI. Reveton also blocks the user from doing anything else on the computer until they pay the fine or find a way to remove the virus. Reveton is being distributed by Citadel and also uses the BlackHole exploit kit to directly infect vulnerable systems. Screenshots from one malware gang showed payments received via MoneyPak ranging from $34,500.00 to $54,000.00 per day. This virus is extremely difficult to remove and is a good example of why people need to have up-to-date antivirus software installed and back up their data. If infected, the only way to reliably clean a computer with such a sophisticated infection is to do a complete rebuild (Krebs, 2012).

The second category, encrypting ransomware, is more advanced and is the latest ransomware being used by cyber criminals to infect traditional host computers: laptops and desktops. The most recent encrypting ransomware is CryptoLocker. The FBI sent an alert on November 8, 2013 (The FBI, 2013). US-CERT released Alert (TA13-309A) on November 5, 2013 and lists two ways CryptoLocker infects victims' computers. The first is through phishing emails that appear to come from legitimate businesses or from FedEx/UPS providing tracking numbers. The second is through botnets on previously infected computers. Even more menacing is that CryptoLocker quickly evolved from a virus to a worm and can now self-propagate. The malware can search for and encrypt files located on shared drives, sanitization-resistant media (e.g. USB drives), external HDDs, network file shares and cloud storage. Victim files are encrypted using RSA-2048 public-key cryptography (US-CERT, 2013). ZDNet traced 4 different Bitcoin addresses reported by infected CryptoLocker users, which showed earnings of $27,000,000 from October 15 to December 18, 2013 at the then-current USD exchange rate (Blue, 2013). There is no known way to decrypt the files once they are encrypted, and the FBI recommends having the machine scrubbed and rebuilt from backups (The FBI, 2013). Given the worm capabilities of CryptoLocker, it is better practice to restore from offline backups.

The outlook for 2014 will present an even greater challenge. According to the McAfee Labs 2014 Threats Prediction report, the proliferation of ransomware attacks will begin in earnest on mobile devices (McAfee Labs, 2013b, p. 3). There were 6.8 billion mobile subscriptions worldwide in 2012, up from 6.0 billion in 2011 and 5.4 billion in 2010. This almost outnumbers the ITU's estimated 7.1 billion people in the world (MobiThinking, 2013). With ransomware on mobile devices in 2014, the number of host devices that can be targeted is enormous: a target-rich environment for cyber criminals. Virtual currencies are also a reason 2014 ransomware attacks look set to increase significantly with new variants, with targets also spreading to enterprise networks to encrypt corporate assets (McAfee Labs, 2013b, p. 3).

There are ways to defend against ransomware. Keeping host-level Unified Threat Management (UTM) software up to date is still a good countermeasure: each ransomware payload is unique, but the distribution methods are not. Some examples of distribution methods are: (1) drive-by downloads via phishing emails; (2) spam; and (3) infected applications (McAfee Labs, 2013b, p. 3). In addition to standard anti-malware and offline backups for restoring infected computers, there are new technologies available. Bromium has developed an innovative endpoint protection system that uses micro-virtualization (Innovation: Micro-virtualization, n.d.) and task introspection (Innovation: Task Introspection, n.d.) performed in real time. While this technology is aimed more at enterprises, there will be a time in the future when ISPs adopt similar technologies. Until then, home users and companies with smaller budgets will need to rely on the more traditional security controls mentioned above, which are still very effective when implemented properly and kept up to date.

Ransomware has been around for about 25 years, but the number of variants is now doubling year over year, with the latest report showing 250,000 variants in just the first 3 months of 2013. This shows that there is great interest from cyber criminals and tens of millions of dollars in profit to be made. The sophistication of ransomware is now at the level where it uses unbreakable asymmetric encryption combined with self-propagation capability. This poses a severe risk to endpoint computers and emphasizes the need for all users and organizations to have proper security controls implemented and incident response capabilities in place. For end users this could be traditional UTM antivirus software such as Norton 360 and restoring from offline backups. Given the advanced capabilities of ransomware to encrypt and propagate, having backup drives connected or in the cloud creates the risk that even the backups will be encrypted by the worm attack; offline backups are therefore necessary. Organizations can achieve a higher level of security with multi-layered defense in depth and more advanced detection technology such as the micro-virtualization and task introspection offered by Bromium.
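The defense paragraph and the closing paragraph both rest on the same control: restore only from offline backups, because anything still connected can be encrypted along with the host. A check a practitioner would want before restoring is whether the backup set is still the one that was taken. The following Python script is an added example, not code from the original post or from any vendor it mentions. It stores a SHA-256 manifest of a backup tree and later compares the tree against it, using byte entropy (an assumed threshold of 7.5 bits per byte) to single out modified files that now look like ciphertext rather than ordinary edits. Directory names, sample files and the simulated tampering are all constructed for the demo.

```python
"""Verify an offline backup set against a stored manifest before restoring.

Added example, not code from the original post or from any vendor it
mentions. Paths, sample files and the tampering in demo() are constructed.
"""
import hashlib
import json
import math
import os
import shutil
import tempfile
from collections import Counter

# Assumption: ordinary documents score well below this; ciphertext (and
# compressed data) approaches 8.0 bits per byte.
ENTROPY_THRESHOLD = 7.5


def sha256_of(path):
    """Stream the file through SHA-256 so large backups are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant byte, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Map each regular file under root (slash-separated relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def verify_backup(root, manifest, sample_bytes=4096):
    """Compare root against a stored manifest.

    Returns sorted lists under 'missing', 'added', 'modified' and 'suspect';
    'suspect' is the subset of modified files whose leading bytes now have
    near-random entropy, which is what a bulk-encrypted file looks like.
    """
    current = build_manifest(root)
    report = {"missing": [], "added": [], "modified": [], "suspect": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
            with open(os.path.join(root, *rel.split("/")), "rb") as f:
                head = f.read(sample_bytes)
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                report["suspect"].append(rel)
    report["added"] = [rel for rel in current if rel not in manifest]
    return {key: sorted(paths) for key, paths in report.items()}


def demo():
    """Constructed end-to-end run: snapshot a toy backup, tamper with it, verify."""
    root = tempfile.mkdtemp(prefix="backup_demo_")
    store = tempfile.mkdtemp(prefix="manifest_store_")  # stands in for offline storage
    try:
        os.makedirs(os.path.join(root, "docs"))
        for name, text in (("report.txt", "Quarterly figures\n" * 50),
                           ("notes.txt", "Meeting notes\n" * 50)):
            with open(os.path.join(root, "docs", name), "w") as f:
                f.write(text)
        manifest_path = os.path.join(store, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(build_manifest(root), f, indent=2)

        # Simulated events after the snapshot (constructed):
        with open(os.path.join(root, "docs", "notes.txt"), "wb") as f:
            f.write(os.urandom(4096))          # content replaced by random bytes
        with open(os.path.join(root, "docs", "report.txt"), "a") as f:
            f.write("Revised totals\n")         # an ordinary edit
        with open(os.path.join(root, "docs", "new.txt"), "w") as f:
            f.write("A file not in the manifest\n")

        with open(manifest_path) as f:
            return verify_backup(root, json.load(f))
    finally:
        shutil.rmtree(root)
        shutil.rmtree(store)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Keep the manifest with the offline copy, not on the backed-up host, or it can be rewritten along with the files it describes. The entropy heuristic only separates bulk encryption from ordinary edits; archives that are already compressed or encrypted will score high on their own and should be judged by hash alone.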